The introduction of the Data (Use and Access) Bill to the UK Parliament on 3rd October 2024 represents a significant moment in the evolution of the UK’s data protection framework. While the bill promises greater clarity around legitimate interests, secondary processing, and automated decision-making, it also raises concerns about whether these changes truly advance the principles of data protection or merely simplify business operations at the cost of individuals’ privacy.
In this opinion piece, I will argue that while the bill contains provisions that could enhance data handling efficiency, there is a risk that it might dilute the very safeguards that data protection legislation was designed to enforce. The balancing act between economic growth, innovation, and protecting individual rights is delicate, and this bill, in my view, tips too far in favour of business interests over privacy.
Recognised Legitimate Interests: A Risky Precedent?
One of the key features of the bill is the introduction of a list of ‘recognised legitimate interests’ that allow for the processing of personal data without needing explicit consent. These interests include matters like national security, public safety, and crime prevention—noble causes, no doubt. But the list also opens the door to broader interpretations of what constitutes a ‘legitimate interest.’
The concern here lies in how these legitimate interests are applied in practice. While safeguarding vulnerable individuals and responding to emergencies are unquestionably important, broadening the scope of legitimate interests risks weakening the requirement for organisations to obtain explicit consent in situations where it would traditionally be required. The vagueness surrounding what constitutes an emergency or national security threat could, over time, erode the very concept of consent and give controllers too much leeway.
In my opinion, this provision could set a dangerous precedent, allowing organisations to sidestep individuals’ rights in the name of perceived legitimate interests. The bill needs tighter definitions and clearer boundaries around these interests, ensuring that they are used sparingly and transparently.
Secondary Processing: Compatibility or Overreach?
Another notable change in the bill is the allowance for secondary processing of data for purposes that are considered compatible with the original reason for collection. On the surface, this appears reasonable—allowing flexibility for data to be used in ways that benefit both the controller and the data subject. However, the criteria for what is considered ‘compatible’ are somewhat ambiguous.
The bill lists several circumstances where secondary processing would be deemed compatible, such as protecting vital interests, safeguarding vulnerable individuals, or fulfilling tax obligations. These seem like reasonable exceptions, but the key issue is the potential for overreach. Once secondary processing is permitted for certain reasons, it becomes easier to expand the list of exceptions over time.
In my view, this is a slippery slope. Without strict limits on secondary processing, we risk normalising the repurposing of personal data in ways that were never intended or anticipated by the individual when they originally provided their data. This could erode trust in data controllers, leading individuals to become more hesitant in sharing personal information.
Automated Decision-Making: Safeguards or Loopholes?
The bill introduces requirements for automated decision-making, particularly in cases where decisions have significant legal or similarly important effects on individuals. While this is a positive step towards addressing the increasing role of AI and algorithms in decision-making, the bill’s exemptions for certain decisions raise concerns.
Specifically, the bill allows for exemptions in cases involving public security, crime prevention, and national security. While these exemptions may be justified, they also create potential loopholes where organisations could rely on automated decision-making without appropriate oversight. The safeguards for significant decisions, such as allowing individuals to request human intervention or contest decisions, are commendable, but exemptions could undermine these protections.
In my view, the introduction of automated decision-making standards is long overdue, but the bill’s exemptions risk creating a two-tiered system—one where individuals affected by certain types of decisions receive fewer protections than others. This could lead to a growing distrust in automated systems, particularly in sensitive areas like law enforcement or public security.
International Data Transfers: Striking the Right Balance?
One of the most contentious areas in data protection is the issue of international data transfers. The bill introduces a ‘data protection test’ for approving data transfers to third countries or international organisations. While this test simplifies the process compared to the previous ‘essentially equivalent’ standard from the GDPR, it also raises concerns about lowering the bar for protection.
The new standard, which requires that third countries offer protection that is ‘not materially lower’ than the UK’s, is less stringent than the previous approach. While this may facilitate smoother international data flows, it also risks weakening protections for UK citizens whose data is transferred abroad. Given the UK’s desire to position itself as a hub for digital trade, there is a risk that this relaxation of standards could be seen as prioritising business interests over individual rights.
In my opinion, the UK must be cautious in how it applies this new standard. While international data flows are critical to modern commerce, they should not come at the expense of individuals’ privacy. The government must ensure that any agreements with third countries provide robust protections and that the ‘data protection test’ is applied rigorously.
Conclusion: A Step Too Far?
The Data (Use and Access) Bill is undoubtedly a step forward in streamlining data protection processes and enabling more efficient data handling practices. However, the bill’s focus on business interests—whether through the expansion of legitimate interests, secondary processing, or relaxed standards for international data transfers—raises significant concerns about the erosion of individual privacy rights.
In my view, the bill tips the balance too far in favour of business and government interests. While economic growth and innovation are essential, they must not come at the expense of the privacy and trust that data protection laws are designed to safeguard. The bill must be amended to tighten the definitions around legitimate interests, ensure that secondary processing remains the exception rather than the rule, and uphold the highest standards for international data transfers.
As the bill progresses through Parliament, it is critical that lawmakers strike the right balance between fostering innovation and protecting the privacy rights of individuals. If this balance is not achieved, the UK risks undermining its reputation as a leader in data protection and, more importantly, losing the trust of its citizens.